by dgl
969 days ago
Cute. I found a similar issue in OpenBSD's tar, as mentioned; I didn't share the exploit before, but basically a long filename does it. Something like: https://gist.github.com/dgl/355840320535bf8ef8b70f2e0722bf65 (I reported this one to OpenBSD but they didn't fix it. Much like BusyBox, which has been known for years.)

I emailed the Tar maintainers privately because I thought they might consider it a security vulnerability, however mild. They fixed it promptly but didn't want to make a CVE fuss out of it.